AEPD (Spain) - EXP202303754

From GDPRhub
Latest revision as of 09:03, 17 July 2024

AEPD - EXP202303754

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(a) GDPR, Article 6(1)(b) GDPR
Type: Complaint
Outcome: Upheld
Published: 25.06.2024
Fine: 180,000 EUR
Parties: Mapfre Inversión Sociedad de Valores, S.A.
National Case Number/Name: EXP202303754
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: lm

The AEPD fined an investment company €180,000 because it lacked a legal basis when it transferred a data subject's funds without the prior authorisation required by the contract.

English Summary

Facts

A data subject and his spouse were clients of Mapfre Inversión Sociedad de Valores, S.A. (the controller), an investment securities company. The data subject had entered into an asset management contract with the controller which authorised it to manage his funds and carry out investment operations on his behalf. The contract required the express prior authorisation of both account holders for every investment operation. Since contracting with the controller, the data subject had always authorised transactions through an electronic channel, using his own passwords and electronic signature.

However, on 2 June 2021, the controller executed several transfer orders on the data subject's funds, initiating six investment operations, without the data subject's prior authorisation or consent. The data subject contacted the controller about the transfers; the controller acknowledged the irregularity and stated that there had been malpractice on the part of an agent. The controller offered to compensate the economic damage and return the data subject's account to its prior state. The controller did not answer the data subject's questions about how the issue had occurred (for example, whether his signatures had been forged).

The data subject subsequently filed a complaint with the Spanish DPA (AEPD). In response, the controller stated that on 2 June 2021 it had received several investment orders from the data subject. The controller claimed that, instead of the electronic channel, the orders were handled under a paper signature procedure: an agent signed them electronically in the controller's application using a PIN received on the agent's own professional mobile phone, with the data subject to ratify them afterwards by handwritten signature on paper. The controller argued that its representative was therefore entitled to order the transfer of funds electronically with his own credentials and electronic signature and to obtain the data subject's ratification subsequently. However, the data subject did not ratify the orders. Given this absence of ratification, the controller sent the data subject a communication offering the possibility of revoking the transactions and being compensated, to which the data subject did not respond. The controller did not provide evidence that the data subject had initiated the transactions. To mitigate discrepancies that could occur with handwritten signatures, the controller stated that it had adopted corrective measures recommended by its DPO.

On 31 May 2023, the AEPD resolved to dismiss the claim because there was insufficient evidence to find an infringement of the GDPR. The data subject appealed the resolution and clarified that the June investment orders had not been authorised with the data subject's PIN or signature, but with the agent's own account and PIN. On 10 May 2024, the AEPD upheld the appeal and reopened the investigation.

Holding

The AEPD found that the controller lacked a legal basis and imposed a fine of €180,000 on the controller.

Despite the contractual relationship between the parties, the AEPD found that Article 6(1)(b) GDPR did not provide a legal basis for the processing because it was not necessary for the performance of the contract. Under the contract, fund transfer operations required prior express authorisation, not subsequent ratification. The AEPD rejected the controller's argument that the agent was entitled to order the transfer of funds electronically and obtain the data subject's ratification afterwards. Given the agent's failure to obtain the data subject's authorisation before the transaction, as the contract required, the controller lacked a legal basis for the processing under Article 6(1)(b) GDPR. In addition, since there was no evidence that the data subject's consent had been obtained at all, Article 6(1)(a) GDPR did not provide a legal basis either.

The AEPD proposed a sanction of €300,000. Pursuant to Law 39/2015, the Spanish law on administrative procedure, the AEPD informed the controller that it could acknowledge its responsibility for the alleged violations and/or pay the proposed fine voluntarily. Each of these actions reduces the proposed fine by 20%. The controller opted for the 40% reduction, both acknowledging its responsibility for the violations and paying the reduced sanction of €180,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202303754

RESOLUTION TERMINATING THE PROCEDURE BY VOLUNTARY PAYMENT

In the procedure instructed by the Spanish Data Protection Agency, and on the basis of the following



                                 BACKGROUND

FIRST: On May 31, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against MAPFRE INVERSIÓN SOCIEDAD DE VALORES, S.A (hereinafter, the claimed party), by means of the Agreement transcribed below:

<<


File No.: EXP202303754
Sanctioning Procedure No.: PS/00236/2024

AGREEMENT TO INITIATE SANCTIONING PROCEEDINGS

Of the actions carried out by the Spanish Data Protection Agency, and on the basis of the following

FACTS

FIRST: On July 4, 2023, A.A.A. (hereinafter, the claimant) filed a claim with the Spanish Data Protection Agency. The claim is directed against MAPFRE INVERSIÓN SOCIEDAD DE VALORES, S.A, with NIF A79227021 (hereinafter, the claimed party/MAPFRE INVERSIONES). The grounds on which the claim is based are the following:

- That he is a client, together with his wife (B.B.B.), of MAPFRE INVERSIONES, with which a wealth management contract was signed that enabled the claimed entity to manage the funds deposited with it and to carry out investment operations with them, always subject to the prior express authorisation of both, by handwritten or electronic signature.

- That, however, on June 2, 2021, the claimed party executed several orders transferring the deposited capital, acquiring six investment funds, without their authorisation, the claimant not knowing what method was used to impersonate his signature and consent.

- That it was the claimant who became aware of the 6 investment operations when casually consulting the MAPFRE INVERSIONES app that is used for the contracted investment management.
- That, in view of what happened, the claimant contacted the claimed party, which acknowledged its irregular actions, sending the claimant the receipts of the disputed transfers and stating in an email of 11-26-21 that there had been "malpractice on the part of the representative of the claimed party", offering to "restore the original situation prior to the execution of the disputed operations, compensating for any economic damage".

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/23

- That the claim remains unanswered as regards the questions raised by the claimant about the means by which those instructions were given, not knowing whether his signatures were forged or whether there was fraudulent use of the Logalty certificate (the mechanism used for the electronic signature of said operations), since to date the claimed party has not provided the signature and consent documents for said operations.


Along with the claim, he provides:

- Document 1. Screenshots of 12 transfer orders, among which are the 6 disputed investment orders.
- Document 2. The receipts of said transfers provided by the claimed party.
- Document 3. List of movements in the account portfolio obtained as of 15-6-21.
- Document 4. Tax information corresponding to the 2021 financial year of the portfolio shown in the MAPFRE app.
- Document 5. Copy of the email messages exchanged between the claimant and the claimed party, in which the former requests explanations and is told that the matter has been forwarded to the corresponding department and is pending resolution. Specifically, emails of June 17, June 18, June 23, June 25, September 3 and September 6, 2021, exchanged between the claimant and the director of Mapfre Gestión Patrimonial.
- Document 6. Letter presented by the claimant's lawyer to MAPFRE on November 15, 2021.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was transferred to the claimed party so that it could analyse it and inform this Agency, within a period of one month, of the actions carried out to comply with the requirements provided for in the data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was received on April 4, 2023, as appears in the acknowledgment of receipt in the file.

FOURTH: On May 4, 2023, this Agency received a letter of response from the claimed party indicating that:

- The claimed party signed a framework contract for financial products and services with the claimant and Mrs. B.B.B. dated January 28, 2018.

- On 2-6-21 the agent who acted as representative of MAPFRE INVERSIONES (C.C.C., hereinafter, the representative of Mapfre) received several investment operation orders formulated by the claimant, and "following the order execution procedure that was implemented as of 2-6-21 in the entity, the representative of MAPFRE INVERSIÓN chose to use the paper signature system. In this context, the representative entered in the Mapfre Inversión application his professional mobile phone, on which he received the PIN code, which allowed him to sign through LOGALTY the orders given by Mr. A.A.A., so that they could be ratified by the client through his handwritten signature on paper".



- The claimed party states that, for unknown reasons, despite having ordered such operations, the claimant later refused to ratify by his handwritten signature the operations he had ordered.

- After several attempts at a solution, the claimed party sent a communication to the claimant on 11-26-21 in which he was offered the possibility of revoking the orders and being compensated for the damages, without the claimant replying in this regard.

- That it has learned that the claimant proceeded to redeem the funds acquired between June 11 and 15, 2021, "so that the result of the operations was assumed by the claimant, depriving Mapfre of the possibility of acting in any sense with respect to them."

- In order to mitigate discrepancies that arise in paper signature procedures, the claimed party has adopted the corrective measures recommended by its Data Protection Officer, dated July 15, 2021.

- That the controversy concerns the existing discrepancies regarding the form and performance of the framework contract signed with the appellants, for the resolution of which other channels exist, and there is no non-compliance in the processing of the appellants' personal data falling within the competence of this Agency.


The following documentation is attached:

- Document 1. Framework contract for financial products and services signed between the claimant and the claimed entity, and acceptance document and signatures of January 28, 2018.
- Document 2. Email sent by the claimed party to the claimant on November 26, 2021, referring to the "malpractice" of the representative that executed the 6 investment orders.
- Document 3. Report on corrective measures implemented by the claimed party.

THIRD: On May 31, 2023, after analysing the documentation in the file, a resolution was issued by the Director of the Spanish Data Protection Agency agreeing to file the claim, as at that moment there were insufficient probative elements of the occurrence of an infringement capable of rebutting the principle of presumption of innocence. The resolution was notified to the appellant on June 9, 2023, as proven on the record.

FIFTH: On July 4, 2023, the claimant and the joint holder of the aforementioned contract, from which the relationship between the claimed party and the claimant arises, filed an optional appeal for reconsideration through the Electronic Registry of the AEPD against the resolution issued in file EXP202303754, in which they express their disagreement with the contested resolution and request that the initial claim filed be processed.

On February 16, 2024, the appeal filed was sent to the claimed party within the framework of article 118.1 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), so that it could formulate allegations and present the documents and supporting evidence it deemed appropriate.

After requesting and being granted an extension of the deadline to make allegations against the appeal, the claimed party presented a response dated March 1, 2024, in which it:

- Considers reproduced the allegations contained in its previous letter, insisting that the controversy raised must be resolved by other bodies or means, because it does not fall within the material competence of this Agency.

- Clarifies that in no case were the appellants' passwords and PIN, nor the signature that appears for them on the Logalty certificate, used to order the investments; rather, the agent who carried them out used his own account and user passwords.

- Adds that a meeting was held with the appellant on 6/21/21 in which he refused to sign either the ratification or the revocation of the investment orders, even though he was offered this alternative, so there is no documentation of ratification by signature of these operations by the appellants.

- Provides as Document 1 the representation contract signed by Mapfre Inversiones with the agent who was in charge of executing these investment operations.


In view of the allegations and documentation provided by the appellant and the appealed party, on May 10, 2024, a Resolution was issued by the Director of the Spanish Data Protection Agency upholding the appeal and admitting the claim for processing, since, the ratification of the investment operations by the appellants not having been proven, there are indications of a possible lack of legitimacy of the claimed entity to process the personal data of the claimants when carrying out the 6 disputed investment operations.

FOURTH: According to the report obtained from the AXESOR tool on May 27, 2024, the entity MAPFRE INVERSIÓN SOCIEDAD DE VALORES, S.A is a large company established in 1989, with a turnover of €52,959,024 in 2022.


FOUNDATIONS OF LAW

I

Competence and procedure

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants to each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II

Preliminary issues

The name, surname, NIF and account numbers of the claimant and his wife, which appear in the 6 capital transfer and investment fund acquisition orders carried out by the claimed party charged to the account contracted by both, are considered personal data, the processing of which is subject to the regime provided for in the GDPR and its implementing provisions, in accordance with article 4.1 and 4.2 of the GDPR, which provides the following:

"Article 4 Definitions

For the purposes of this Regulation:

1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

2) 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; (…)"
In the present case, in accordance with article 4.1 of the GDPR, the claimed entity processed personal data when executing, on behalf of the claimant and his wife, 6 fund transfer operations for the acquisition of capital obtained from the "LOW DURAT EURO COVER BC AC EUR" investment fund (hereinafter, investment funds), dated June 2, 2021, charged to the cash account that they contracted with MAPFRE INVERSIONES in 2018.

These fund transfer orders were provided as Document 2 of the claim and were made by the agent/representative (C.C.C.) of the claimed entity.

The claimed party provides two contracts:

- Framework Contract for financial services and products dated January 28, 2018, signed between MAPFRE INVERSIONES (the entity) and the claimant and his wife (CLIENTS), which was provided as Document 1 of the response to the transfer (hereinafter, Framework Contract).

- Representation Contract signed between MAPFRE INVERSIONES and the representative C.C.C. (referred to as Agent, or C.C.C.) dated June 28, 2019 (hereinafter, Representation Contract).

In view of the documentation provided by both parties, there is no doubt that the aforementioned transfer or investment orders made by the agent of the claimed party were personal data processing operations in the sense of article 4.2 of the GDPR, since they involved access to the accounts of the claimant and his wife and the use of the personal data they contained.

Thus, as the claimant proves by providing the receipts of the fund transfers made by the agent of the claimed party to acquire these 6 investments, it can be seen that they show two account numbers held by the claimant and his wife, who appear with their name, surname and NIF.

The claimed party raises, in its letters of May 4, 2023 and March 1, 2024, the possible lack of material competence of this Agency to hear the facts under examination, which, according to the claimed party, concern the discrepancies between the parties regarding the performance of the contract signed, a matter for other bodies or instances to resolve, and not a breach of personal data protection regulations.

However, it should be clarified that the aforementioned transfer/investment orders, whose validity and legal effects are for other bodies or instances to determine, as the claimed party points out, necessarily entailed, in order to be carried out, the execution of the personal data processing operations referred to above, which are subject to certain requirements laid down in the data protection regulations for the controller, the breach of which could constitute an administrative offence typified therein, the sanctioning of which is the competence of this Agency.

In this sense, the doctrine established by the Contentious-Administrative Chamber of the National Court is applicable to this case, as reflected, among others, in the SAN of October 17, 2007, or in the SAN of July 3, 2007 (rec. 232/2005), whose Second Legal Ground states:

"The appellant begins the defence of his claim by alleging the lack of competence of the Data Protection Agency, since the controversy concerns the existence or not of a certain contract and this question is of an essentially civil nature and, consequently, removed from its jurisdiction, according to art. 37 of the LOPD. In reality, the Director of the Data Protection Agency has not ruled on whether the debt is or is not owed; rather, its resolution focuses on considering certain provisions of the LOPD to have been infringed, linking to said infringements, as a consequence, the imposition of a sanction. It is enough to read the operative part of the contested resolution to confirm what has just been stated. And without doubt it is fully competent to issue this resolution. It is another matter that, in order to exercise its competence, it must carry out factual or legal assessments whose nature we could classify as preliminary, and on which it could not adopt a final decision effective against third parties. If the principle of data quality set out in the LOPD requires that the data processed by a third party referring to a person be accurate and truthful, the Administration specifically in charge of enforcing these regulations may, for the sole purpose of considering this principle fulfilled or violated, make an assessment of the accuracy and truthfulness of a certain piece of information, in this case of the existence of a debt, without this meaning a departure from its rules of competence. This ground of challenge must be rejected."

The claimed entity is the controller of the personal data processing carried out in the present case, in accordance with article 4.7 of the GDPR, which provides the following:

"7) 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (…)"

In the present case, the claimed party states that it engaged a representative or agent who was in charge of carrying out the aforementioned operations on its behalf. From the content of the Representation Contract signed with the agent it follows, without any doubt, that the controller of the personal data handled by its agent is MAPFRE INVERSIONES.

Thus, from the "Annex for the processing of personal data" attached to the Representation Contract, it follows that it is the entity (MAPFRE INVERSIONES) that establishes the means and purposes of the processing of personal data handled by the agent. And in Clause 10.5 thereof, it is indicated that the entity will be responsible for the actions of the representative, without prejudice to its right to bring actions against him should he deviate from what was agreed.
Consequently, if it is confirmed during the investigation that an improper processing (unlawful in accordance with article 6.1 of the GDPR) of the personal data contained in the account contracted by the claimant and his wife took place, MAPFRE INVERSIONES will be the presumed responsible party from which administrative responsibility will be required for the alleged non-compliance committed, in accordance with article 70.1 a) of Organic Law 3/2018, of December 5, on the protection of personal data and guarantee of digital rights (hereinafter, LOPDGDD):

"Article 70. Responsible subjects.

1. The following are subject to the sanctioning regime established in Regulation (EU) 2016/679 and in this organic law: a) Controllers. b) Processors. c) The representatives of controllers or processors not established in the territory of the European Union. d) Certification bodies. e) The accredited bodies supervising codes of conduct. (…)"

                                          III.

              Offending conduct: lack of legal basis for the processing.

The processing of personal data of natural persons by controllers must be governed by the
principles set out in article 5 of the GDPR, among which is the principle of lawfulness and
transparency provided for in its first section, which reads:

   “1. Personal data shall be:
   a) processed lawfully, fairly and in a transparent manner in relation to the data subject
   (‘lawfulness, fairness and transparency’); […]”


Furthermore, article 5.2 of the GDPR provides that: “The controller shall be responsible
for, and be able to demonstrate compliance with, paragraph 1.”

Developing this principle, article 6 of the GDPR, on the “Lawfulness of processing”,
determines in section 1 the cases in which the regulation allows the processing of a third
party’s personal data, referred to as the “legal basis”. If none of these conditions is met,
the processing will not be legitimate, nor considered lawful by the GDPR:


    “1. Processing shall be lawful only if at least one of the following conditions is met:

    a) the data subject has given consent to the processing of his or her personal data for
    one or more specific purposes;

    b) processing is necessary for the performance of a contract to which the data subject is
    party or in order to take steps at the request of the data subject prior to entering into
    a contract;

    c) processing is necessary for compliance with a legal obligation to which the controller
    is subject;
    d) processing is necessary in order to protect the vital interests of the data subject or
    of another natural person;
    e) processing is necessary for the performance of a task carried out in the public
    interest or in the exercise of official authority vested in the controller;
    f) processing is necessary for the purposes of the legitimate interests pursued by the
    controller or by a third party, except where such interests are overridden by the
    interests or fundamental rights and freedoms of the data subject which require protection
    of personal data, in particular where the data subject is a child.
    Point (f) of the first subparagraph shall not apply to processing carried out by public
    authorities in the performance of their tasks.”

This means that it is a mandatory requirement under data protection law that the defendant
entity have one of these legal bases in order to carry out the personal data processing
operations deriving from the 6 fund transfer and investment operations referred to in these
proceedings.

In principle, given the existence of a contractual relationship between the claimant and the
defendant through the signing of the Framework Contract referred to in the previous legal
ground, it is worth analysing whether such personal data processing operations could have
their legal basis in the case provided for in article 6.1.b) of the GDPR: “b) processing is
necessary for the performance of a contract to which the data subject is party or in order
to take steps at the request of the data subject prior to entering into a contract”.


Regarding whether the processing in question was necessary for the performance of the
Framework Contract signed by the defendant and the claimant, the claimant maintains, in
summary, that:

- In accordance with the contract, fund transfer operations (investment operations) require
    his prior consent (and not subsequent ratification), expressed through an electronic or
    handwritten signature, and that since contracting with the defendant in 2018 he has
    always signed all investment transfer orders electronically through its APP, using his
    keys and electronic signature.
- That upon consulting the aforementioned APP, he realised that the defendant’s agent had
    executed the 6 transfer orders without previously obtaining his signature.
- He denies that, as the entity says, the claimant or his wife requested the execution of
    these investments prior to the execution of the transfer orders.
- That the defendant proposed that he ratify said orders, which he refused.
- That in an email dated November 26, 2021, the defendant acknowledged that there had been
    malpractice on the part of the agent, and offered to ratify the transfer orders or revoke
    them at his option, but did not indicate how it was possible that the agent had accessed
    his account without having his keys, username and password. This email has been provided
    in these proceedings.


For its part, the defendant puts forward, in essence, the following arguments relevant to
determining whether there was a legal basis in the present case:

- Regarding the process of executing the orders: “On 2-6-21 the agent acting as a
    representative of MAPFRE INVERSIONES (C.C.C.) received several investment operation
    orders formulated by the claimant”, and “following the procedure for executing orders
    that was in place in the entity as of 2-6-21, the representative of MAPFRE INVERSIÓN
    opted to use the paper signature system. In this context, the representative entered in
    the Mapfre Inversión application his professional mobile phone, on which he received the
    PIN code, which allowed him to sign through LOGALTY the orders given by D. A.A.A., to be
    ratified by the client through his handwritten signature on paper.”

- That the procedure carried out within the framework of the contractual relationship did not
    compromise his rights and will, and fully guaranteed them, by requiring the claimant to
    ratify or revoke, by signing, the orders that had been executed by the agent in his name
    and under his instructions.

- That, to avoid any damage in the event that said operations did not respond satisfactorily
    to his instructions or the agreed investment strategy, not only their revocation but also
    the restoration of the previous balance and product position was permitted, and was
    offered on several occasions. Such a solution was offered both at a meeting held on
    6-21-21 and in the aforementioned email of 11-26-21, without the claimant having
    expressed himself.

- It points out that the agent did not deviate from the procedure for issuing and signing
    operations in place at that time in the entity, and that the system has since been
    modified precisely to avoid this type of controversial situation.

- Following the events in dispute, on July 15, 2021, it implemented modifications to the
    procedure for signing paper operation orders, such as: establishing a minimum age for
    the client to be able to sign on paper instead of via LOGALTY, limiting the users who can
    authorise paper printing, establishing a prior authorisation process before the
    signature on paper is handled, and limiting to a maximum of 24 hours the possibility of
    printing once authorised.
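
The contractual rule the decision turns on (keys personal and non-transferable, the channel chosen by the client rather than the agent) and the later paper-channel safeguards the entity describes (prior authorisation, a 24-hour printing window) can be expressed as one authorisation gate placed in front of order execution. The following is an added example written for this page, not the entity's own system; the account, user and order fields, the user ids and the sample orders are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, FrozenSet, List, Optional


class Channel(Enum):
    REMOTE = "remote"          # client's own user id, password and electronic signature
    IN_PERSON = "in_person"    # handwritten signature on paper at the office


@dataclass(frozen=True)
class Account:
    number: str
    holders: FrozenSet[str]      # user ids of the account holders
    authorised: FrozenSet[str]   # user ids authorised on behalf of the holders
    chosen_channel: Channel      # channel selected by the client, never by the agent


@dataclass(frozen=True)
class Order:
    account: str
    amount_eur: int
    channel: Channel
    signer: str                  # whose keys or handwritten signature consent to the order
    entered_by: str              # who keyed the order into the application
    prior_authorisation: bool = False          # paper path: approval obtained before printing
    authorised_at: Optional[datetime] = None   # when that approval was given
    printed_at: Optional[datetime] = None      # when the paper order was printed


# Constructed from the 24-hour printing limit the entity says it introduced.
PAPER_PRINT_WINDOW = timedelta(hours=24)


def check_order(order: Order, accounts: Dict[str, Account]) -> Optional[str]:
    """Return None when the order carries valid client consent, else the reason it fails."""
    account = accounts.get(order.account)
    if account is None:
        return "unknown account"
    # Keys are personal and non-transferable: consent can only come from a holder or someone
    # authorised on the holders' behalf, so an agent signing with his own keys is rejected
    # whatever channel he used.
    if order.signer not in account.holders | account.authorised:
        return "signer is neither a holder nor authorised on behalf of the holders"
    # The channel is the client's choice; an agent cannot switch it unilaterally.
    if order.channel is not account.chosen_channel:
        return "channel was not chosen by the client"
    if order.channel is Channel.IN_PERSON:
        if not order.prior_authorisation or order.authorised_at is None:
            return "paper signature requires prior authorisation"
        if order.printed_at is None or not (
            timedelta(0) <= order.printed_at - order.authorised_at <= PAPER_PRINT_WINDOW
        ):
            return "paper order printed outside the 24-hour authorisation window"
    return None


def evaluate_batch(orders: List[Order], accounts: Dict[str, Account]) -> dict:
    """Split a batch into accepted and rejected orders and total the amount blocked."""
    checked = [(o, check_order(o, accounts)) for o in orders]
    rejected = [(o, r) for o, r in checked if r is not None]
    return {
        "accepted": [o for o, r in checked if r is None],
        "rejected": rejected,
        "blocked_total_eur": sum(o.amount_eur for o, _ in rejected),
    }


def sample_accounts() -> Dict[str, Account]:
    # Constructed: a joint account whose holders chose the remote channel.
    return {"ACC-0001": Account("ACC-0001", frozenset({"holder-1", "holder-2"}),
                                frozenset(), Channel.REMOTE)}


def sample_orders() -> List[Order]:
    # Constructed: six paper-channel transfers of 4,215 EUR signed with the agent's own keys
    # (the pattern described in the decision) plus one order the holder signed himself.
    t0 = datetime(2021, 6, 2, 10, 0)
    agent_orders = [Order("ACC-0001", 4215, Channel.IN_PERSON, signer="agent-x",
                          entered_by="agent-x", printed_at=t0 + timedelta(minutes=i))
                    for i in range(6)]
    own_order = Order("ACC-0001", 500, Channel.REMOTE, signer="holder-1", entered_by="holder-1")
    return agent_orders + [own_order]


def paper_channel_examples() -> Dict[str, Optional[str]]:
    # Constructed: a client who chose paper; the same approved order printed 23 h and 25 h
    # after the prior authorisation was given.
    acct = {"ACC-0002": Account("ACC-0002", frozenset({"holder-3"}), frozenset(),
                                Channel.IN_PERSON)}
    approved = datetime(2021, 7, 15, 9, 0)

    def paper(printed: datetime) -> Order:
        return Order("ACC-0002", 1000, Channel.IN_PERSON, signer="holder-3",
                     entered_by="agent-x", prior_authorisation=True,
                     authorised_at=approved, printed_at=printed)

    return {"within_window": check_order(paper(approved + timedelta(hours=23)), acct),
            "after_window": check_order(paper(approved + timedelta(hours=25)), acct)}
```

Run against the constructed batch, all six agent-signed orders are refused before execution and the 25,290 EUR they total never leaves the account, while the holder's own remote order goes through.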


Consequently, from the arguments presented it follows that it is not in dispute, since both
parties have acknowledged it, that the representative hired by MAPFRE INVERSIONES executed
on June 2, 2021 a total of 6 fund transfer operations charged to the investment portfolio
and associated account of the claimant and his wife. Nor is it in dispute that the
representative of the defendant entity did not obtain their prior authorisation or
communicate this fact to the account holders, and that the defendant subsequently offered
the claimant the chance to ratify or revoke these transfer orders, without the claimant
expressly accepting either of these two options, instead filing a complaint and asking for
explanations about the custody of the personal data that the defendant was carrying out,
having allowed its representative to order said operations without his electronic or
handwritten signature.


The main controversial issue of the present procedure focuses on determining whether, in
accordance with the signed contract, it was necessary to obtain the prior authorisation of
the account holders in order to execute the transfer/investment orders that gave rise to the
processing of personal data contained in their account, which is the subject of this
procedure. Or whether, as the defendant states, the agent was authorised to electronically
order the transfer of funds with his own keys and electronic signature, and subsequently
obtain ratification by the handwritten signature of the account holders, on paper.

Well, from the analysis of the documentation at hand, several pieces of evidence emerge that
lead to siding with the version offered by the claimant. The most significant evidence is
the following:

- Firstly, the defendant does not expressly deny that it is necessary to obtain the consent
    of the clients, and despite stating that the agent followed the procedure established at
    that time (which allowed the agent to sign the operations electronically with his own
    passwords and signature and, after having executed them, obtain the handwritten
    signature of the clients on paper), it incurs various contradictions that lead to the
    opposite conclusion.

    Thus, according to its own statements and the antecedents documented in the procedure,
    it is clear that the defendant apologised to the complainant for the “malpractice” of
    the agent in the email sent to the claimant on November 26, 2021, and maintained various
    contacts and even a meeting with the claimant on June 21, 2021 for the purpose of
    offering him the option to ratify or revoke such operations. And on the other hand, it
    points out that it has adopted new measures to rectify the aforementioned procedure of
    subsequent ratification on paper, implying an implicit recognition that this was
    generating irregularities.

- The Framework Contract establishes the obligation to obtain the consent or prior signature
    of the client to authorise payment operations or carry out any type of financial
    operation charged to them:


    Thus, the Tenth Stipulation of the GENERAL STIPULATIONS of the Framework Contract,
    “10.1.- AUTHORISATION OF PAYMENT OPERATIONS”, states that: “Payment operations will be
    considered authorised when the CUSTOMER has given his consent to them, in accordance
    with the provisions of these General Stipulations, as well as in the respective
    Particular Stipulations, for each of the payment operations that the CLIENT and the
    ENTITY have agreed upon.”

    And on the other hand, the Seventh Stipulation of the PARTICULAR STIPULATIONS ON
    CUSTODY AND ADMINISTRATION OF THE INVESTMENT PORTFOLIO also specified: “So that the
    ENTITY can use, on its own account or on behalf of another client, the financial
    instruments that have been entrusted to it by the CLIENT, or establish agreements for
    securities financing operations on said instruments, the client must give his express
    authorisation, in writing and formalised by means of his signature or an equivalent
    mechanism, by which he authorises the ENTITY to use his financial instruments in custody
    for the intended purpose, expressly accepted in the particular conditions that are
    established, which will include: the obligations and responsibility of the ENTITY
    (including the remuneration in favour of the CLIENT for lending his securities), the
    conditions of restitution and the inherent risks. The use of these instruments will be
    restricted to the conditions previously accepted by the CLIENT.”


- The defendant indicates that it was the claimant who initiated the service by formulating
    the investment orders that were executed by the agent, which the claimant denies,
    claiming to have become aware of them when they had already been executed, by viewing
    them in the “MAPFRE Financial Portal” APP.

    Regarding this controversial issue, it should be noted that the defendant has not
    provided documentation proving that the investment order came from the claimant,
    activating the so-called “service of reception, transmission and execution of investment
    orders” provided for in the Framework Contract. Nor is this prior request reflected in
    the fund transfer receipts, screenshots of the investment orders placed and/or lists of
    movements that were provided by the claimant.

- The procedure followed by the agent to order the transfer was not the one chosen by the
    client, as indicated in the Framework Contract:

    In accordance with the Seventh Stipulation of the General Stipulations of the Framework
    Contract, the client’s consent or prior authorisation could be obtained through two
    possible channels, the choice of which would always lie with the client: the face-to-face
    channel (handwritten signature in the office), or the internet (with keys, username and
    electronic signature in the APP “Mapfre financial portal”):


“(…) The CUSTOMER registration process in the ENTITY and the signing of this FRAMEWORK
CONTRACT will necessarily be carried out through the in-person channel, that is, at the
MAPFRE office of his representative. This FRAMEWORK CONTRACT cannot be signed until the
CLIENT has presented all the documentation required by the ENTITY.

Notwithstanding the above, once the FRAMEWORK CONTRACT is signed, the subsequent management
of any operation related to the contracted products and/or services, as well as the
contracting of new financial products or services, may be carried out, at the discretion of
the CUSTOMER, either through the in-person channel (MAPFRE Office of the representative) or
through the INTERNET, in accordance with the provisions of the following ‘Stipulation
regarding access and use of remote channels’.”

    Access to and use of remote channels could be carried out only by the client, through his
    own password, username and electronic signature, which were personal to each user and
    non-transferable. This aspect is noted in the Eighth Stipulation of the General
    Stipulations of the Framework Contract, which regulates “8. ACCESS AND USE OF REMOTE
    CHANNELS”, pointing out that:

        “Likewise, the ENTITY will initially automatically assign to each CLIENT a Password
        and an Electronic Signature, which must be modified by the CLIENT immediately after
        the first access, adhering to the alphanumeric criteria defined by the ENTITY at
        each moment. Notwithstanding the foregoing, the ENTITY reserves the right to accept
        or not an interested party as a USER. (…) These elements (User Identifier, Password
        and Electronic Signature), hereinafter the “keys”, will be personal to each USER and
        non-transferable, allowing access to operations in all those products and services
        in which said USER appears as Holder (sole or jointly with third parties) or as
        Authorised on behalf of the Holders. (…) From that moment, and once the keys have
        been validated by the ENTITY’s systems, it will be understood that the orders
        transmitted to the ENTITY are firm instructions, with the express consent of the
        CUSTOMER and, therefore, with full legal effectiveness. The Parties grant to orders
        transmitted telematically, through the use of the keys, a value identical to consent
        given in writing with a handwritten signature.”

   In conclusion, it follows from these clauses that the choice between both channels to
   order investments was up to the client, and not to the agent, who opted for the in-person
   procedure, ordering and signing the investments with his own keys, without it having been
   proven that it was the client (the claimant and his wife) who had requested that the
   investment be made in this way. In this case, moreover, the claimant states that since
   2018 he had always chosen the electronic channel and authorised each investment operation
   with his keys and electronic signature. So in this case, with all the more reason, the
   agent should have consulted the customer and obtained his prior consent to switch to the
   in-person channel.

   This, together with the fact that the entity also had the obligation to require his prior
   consent in order to be able to order a payment, as referred to in general stipulation
   10.1, implies without a doubt that the agent omitted the requirement to consult and obtain
   the prior consent of the client, both to opt for the face-to-face channel and to order
   payment and investment operations.

   This practice, in addition to involving unlawful processing of the personal data of the
   claimant and his wife, would violate the provisions of the “Annex on limitation of
   activity and representation services” of the Representation Contract, which expressly
   indicates that the representative: “Will not assume in any case any faculty or power of
   management over the financial instruments owned by the client, limiting its activity to
   the reception and transmission of orders on behalf of clients in relation to one or more
   financial instruments of the Mapfre group or of third parties”.

In conclusion, from the above it can be deduced that, according to the contract signed by the
parties, it was necessary for the claimant and his wife to authorise in advance both the use
of the face-to-face or electronic channel and the fund transfer operations to acquire
investments that were carried out by the agent of the defendant entity. And it appears from
the file that the agent acted with “malpractice”, ordering 6 payment and investment
operations without previously obtaining the necessary authorisations, which involved the use
of the personal data of the account holders for which he lacked legitimacy.


Therefore, it is understood that the personal data processing operations carried out by the
agent of the defendant when ordering the transfers lacked the legal basis of article 6.1.b) of
the GDPR, as the processing was not necessary for the performance of the Framework Contract.

The same arguments would serve to rule out the existence of a legal basis under article
6.1.a) of the GDPR, given the lack of consent of the claimant and his wife, acknowledged by
both parties. And there is no evidence that the defendant has proven the existence of any
other legal basis among those provided for in the aforementioned article 6.1 of the GDPR.


Consequently, if the evidence provided by the parties to this procedure is confirmed during
the investigation phase, this would imply that the defendant entity processed the personal
data contained in the account of the claimant and his wife when ordering the transfers of
funds referred to in this procedure, without being covered by any legal basis that would
justify the lawfulness of the processing, which could entail a violation of article 6.1 of
the GDPR.


                      IV. Classification and qualification of the infringement.

The conduct of the defendant could constitute a violation of article 6.1 of the GDPR, an
infringement typified in article 83.5 of the GDPR, which establishes:


    “5. Infringements of the following provisions shall, in accordance with paragraph 2, be
    subject to administrative fines of up to 20,000,000 EUR or, in the case of an
    undertaking, up to 4% of the total worldwide annual turnover of the preceding financial
    year, whichever is higher:
    a) the basic principles for processing, including conditions for consent, pursuant to
    Articles 5, 6, 7 and 9.”

For the purposes of determining the limitation period for the infringement, the LOPDGDD
qualifies this violation of the GDPR in its article 72 as a very serious infringement. The
precept provides:

   “1. In accordance with article 83.5 of Regulation (EU) 2016/679, infringements that
   involve a substantial violation of the articles mentioned therein are considered very
   serious and will become time-barred after three years, and in particular the following:
   [...]
   b) The processing of personal data without any of the conditions for lawfulness of
   processing established in article 6 of Regulation (EU) 2016/679 being met.”


                                            V
                              Sanction: Administrative fine


Article 58.2 of the GDPR lists the corrective powers attributed to the AEPD as supervisory
authority, including the power to impose an administrative fine (section i).


Without prejudice to what results from the investigation of the procedure, at this stage of
the initiation agreement, the imposition on the defendant of an administrative fine is
considered appropriate for the alleged violation of article 6.1 of the GDPR, for which it is
held responsible.


Article 83 of the GDPR, “General conditions for imposing administrative fines”, states in
section 1 that the supervisory authority shall ensure that the imposition of fines for
infringements of this Regulation referred to in sections 4, 5 and 6 is in each individual
case effective, proportionate and dissuasive.


The principle of proportionality implies a correlation or adequacy between the infringement
committed and the sanction imposed, with a prohibition on the unnecessary or excessive, so
that the sanction is suitable to achieve the purposes that justify it.

Article 83.2 of the GDPR, through a list of criteria or factors for its graduation,
establishes the technique to achieve adequacy between the infringement and the sanction. The
precept provides:

   “Administrative fines shall, depending on the circumstances of each individual case, be
   imposed in addition to, or instead of, the measures referred to in Article 58(2), points
   (a) to (h) and (j). When deciding whether to impose an administrative fine and deciding on
   its amount in each individual case, due regard shall be given to the following:

   a) the nature, gravity and duration of the infringement, taking into account the nature,
   scope or purpose of the processing concerned, as well as the number of data subjects
   affected and the level of damage suffered by them;
   b) the intentional or negligent character of the infringement;
   c) any action taken by the controller or processor to mitigate the damage suffered by data
   subjects;
   d) the degree of responsibility of the controller or processor, taking into account the
   technical and organisational measures implemented by them pursuant to Articles 25 and 32;
   e) any relevant previous infringements by the controller or processor;
   f) the degree of cooperation with the supervisory authority in order to remedy the
   infringement and mitigate the possible adverse effects of the infringement;
   g) the categories of personal data affected by the infringement;
   h) the manner in which the infringement became known to the supervisory authority, in
   particular whether, and if so to what extent, the controller or processor notified the
   infringement;
   i) where measures referred to in Article 58(2) have previously been ordered against the
   controller or processor concerned with regard to the same subject-matter, compliance with
   those measures;
   j) adherence to approved codes of conduct pursuant to Article 40 or approved certification
   mechanisms pursuant to Article 42; and
   k) any other aggravating or mitigating factor applicable to the circumstances of the case,
   such as financial benefits gained, or losses avoided, directly or indirectly, from the
   infringement.”

Section k) of article 83.2 of the GDPR connects with article 76 of the LOPDGDD, “Sanctions
and corrective measures”, which states:


   “2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the
   following may also be taken into account:
   a) The continuous nature of the infringement.
   b) The link between the offender’s activity and the processing of personal data.
   c) The benefits obtained as a consequence of the commission of the infringement.
   d) The possibility that the conduct of the affected person could have induced the
   commission of the infringement.
   e) The existence of a merger by absorption process subsequent to the commission of the
   infringement, which cannot be attributed to the absorbing entity.
   f) The impact on the rights of minors.
   g) Having, when not mandatory, a data protection officer.
   h) The voluntary submission by the controller or processor to alternative dispute
   resolution mechanisms, in those cases in which there are disputes between them and any
   data subject.”


In accordance with the transcribed precepts and the information contained in the
administrative file, the following factors, which show greater unlawfulness or culpability
in its conduct, are taken into consideration to set the amount of the fine with which it
would be appropriate to sanction the defendant for the violation of article 6.1 of the GDPR:

    - Article 83.2.a) of the GDPR: “the nature, gravity and duration of the infringement”.

      As regards the nature of the infringement attributed to the defendant, the conduct
      affects a basic principle of data protection, the lawfulness of processing, punishable
      as stated with a fine of up to 20 million euros or 4% of the turnover of the defendant.

      The gravity of the conduct is based on the fact that the financial institution acted
      without legitimation, unlawfully processing the personal data of the two account
      holders (name, surname, NIF and account numbers that appeared in the orders).


      It is also considered that, in accordance with what is stated in the fund transfer
      orders provided as Document 2 of the complaint, the defendant carried out 6 processing
      operations of these personal data without legal basis, for an amount of 4,215 euros
      each, so that the unauthorised investment amounted to a total of 25,290 euros in the
      account corresponding to the investment fund from which said amounts were deducted.


      Regarding the duration of the violation for which the defendant entity is held
      responsible, it is considered that the violation was consummated on the day of the fund
      transfer operations, on 2-6-21.

    - Article 83.2.b) The intentional or negligent character of the infringement:

      Although there is no apparent intention on the part of the agent who ordered the
      transfers to act without legal basis, serious negligence is observed in the actions of
      the agent and of the defendant entity, which claims to have been applying a procedure
      for ordering operations that is not provided for in the Framework Contract signed with
      the claimant, allowing its agents to execute orders without obtaining the prior
      authorisation of customers when the face-to-face channel is chosen by the agent.

      Taking into consideration that in the course of its business activity it is dedicated
      to investment management, in which these fund transfer operations occur with relative
      frequency, it is part of the minimum diligence required of a financial entity such as
      MAPFRE INVERSIONES to ensure that the necessary technical and organisational measures
      are adopted to prevent agents or employees acting on behalf of the entity from being
      able to make these decisions without the prior handwritten or electronic signature of
      the clients.


      Regarding the degree of diligence that the controller is obliged to deploy in
      complying with the obligations imposed by data protection regulations, the judgment of
      the National High Court (SAN) of 10/17/2007 (Rec. 63/2006), extrapolated to the case at
      hand, indicates that: “the Supreme Court has come to understand that recklessness
      exists whenever a legal duty of care is neglected, that is, when the offender does not
      behave with the required diligence. And in assessing the degree of diligence, the
      professionalism or otherwise of the subject must be weighed in particular, and there is
      no doubt that, in the case now examined, when the appellant’s activity involves the
      constant and abundant handling of personal data, emphasis must be placed on rigour and
      exquisite care to comply with the legal provisions in this regard.”


    - The evident link between the business activity of the defendant and the processing of
      personal data (article 83.2.k) of the GDPR in relation to article 76.2.b) of the
      LOPDGDD).



      Given that the processing of numerous personal data of its clients is essential in the
      business activity of the defendant, and taking into account the very large business
      volume of the defendant financial institution at the time of the events, the
      significance of the infringing conduct that is the subject of this complaint is
      undeniable.


Thus, without prejudice to what results from the investigation of the procedure, it is
understood that, in light of the aforementioned graduation circumstances, a fine of €300,000
(THREE HUNDRED THOUSAND EUROS) is initially determined for the alleged violation of the
provisions of article 6.1 of the GDPR.


                                          VI
                          Imposition of corrective measures

If the violation is confirmed, the resolution issued may establish the measures

corrective measures that the offending entity must adopt to put an end to the non-compliance
of the personal data protection legislation, in this case article 6.1 of the
RGPD, in accordance with the provisions of the aforementioned article 58.2.d) of the RGPD, according to the

which each control authority may “order the person responsible or in charge of the
treatment that the processing operations comply with the provisions of the
this Regulation, where appropriate, in a certain manner and within a

specified period…”

The imposition of this measure is compatible with the sanction consisting of a fine
administrative, in accordance with the provisions of article 83.2 of the RGPD.


Thus, the responsible entity may be required to adapt its actions to the personal
data protection regulations, with the scope expressed in the preceding Foundations
of Law.


This act establishes the alleged infraction committed and the facts that could give
rise to this possible violation of the data protection regulations, from which it is
clearly inferred what measures to adopt, without prejudice to the fact that the type of
procedures, mechanisms or specific instruments for implementing them corresponds to
the sanctioned party, since it is the controller who fully knows its organization and
must decide, based on proactive responsibility and the risk-based approach, how to
comply with the GDPR and the LOPDGDD.

However, in this case, regardless of the above, in accordance with the evidence
available at the time of this agreement to initiate the sanctioning procedure, the
resolution that is adopted may require MAPFRE INVERSIONES, within a period of 3 months
counting from the date on which the resolution ending this procedure becomes
enforceable, to instruct its agents to refrain from using the personal data of their
clients to arrange investments that fail to comply with the authorizations agreed in
the framework contracts for financial or wealth management products and services
signed by them, and to establish the appropriate technical means to make it
impossible for such investment operations to be formalized by electronic signature
by a person other than the client or a person authorized by the client.

It is warned that failure to comply with the possible order to adopt measures imposed
by this body in the resolution of this sanctioning procedure may be considered an
administrative offense in accordance with the provisions of the RGPD, classified as
an infraction in its Articles 83.5 and 83.6, and such conduct may give rise to the
opening of a subsequent administrative sanctioning procedure.


Likewise, it is recalled that neither the recognition of the infraction committed nor,
where applicable, the voluntary payment of the proposed amounts exempts from the
obligation to adopt the pertinent measures to stop the conduct or correct the effects
of the infraction committed, and to prove to this AEPD compliance with that
obligation.

Therefore, in accordance with the above, the Director of the Spanish Data Protection
Agency AGREES:

FIRST: TO INITIATE A SANCTIONING PROCEDURE against MAPFRE INVERSIÓN
SOCIEDAD DE VALORES, S.A, with NIF A79227021, for the alleged violation of
Article 6.1 of the RGPD, typified in Article 83.5 of the same RGPD.


SECOND: APPOINT R.R.R. as instructor and S.S.S. as secretary, indicating that
they may be challenged, if applicable, in accordance with the provisions of
Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public
Sector (LRJSP).


THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the
claim filed by the complaining and claimed party, together with its
documentation, as well as the documents obtained in the actions prior to the
initiation of this sanctioning procedure and during the appeal phase.


FOURTH: THAT, for the purposes provided for in Art. 64.2 b) of Law 39/2015, of
October 1, on the Common Administrative Procedure of Public Administrations, the
sanction that could correspond would be €300,000 (THREE HUNDRED THOUSAND EUROS),
without prejudice to what results from the investigation.


FIFTH: NOTIFY this agreement to MAPFRE INVERSIÓN SOCIEDAD DE
VALORES, S.A, with NIF A79227021, granting a hearing period of ten working days
to formulate the allegations and present the evidence that it considers
appropriate. In your written statement of allegations you must provide your NIF and
the file number that appears at the head of this document.


If within the stipulated period you do not make allegations to this initiation
agreement, it may be considered a proposed resolution, as established in Article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP).


In accordance with the provisions of Article 85 of the LPACAP, you may recognize your
responsibility within the period granted for the formulation of allegations to this
initiation agreement, which will entail a 20% reduction in the sanction that may be
imposed in this procedure. With the application of this reduction, the penalty would
be set at 240,000 euros, and the procedure would be resolved with the imposition of
this sanction.

Likewise, you may, at any time prior to the resolution of this procedure, make the
voluntary payment of the proposed sanction, which will mean a 20% reduction in its
amount. With the application of this reduction, the penalty would be set at 240,000
euros, and its payment will imply the termination of the procedure, without prejudice
to the imposition of the corresponding measures.

The reduction for the voluntary payment of the penalty is cumulative with that
applicable for the recognition of responsibility, provided that this recognition of
responsibility is made within the period granted to formulate allegations at the
opening of the procedure. The voluntary payment of the amount referred to in the
previous paragraph may be made at any time prior to the resolution. In this case, if
both reductions were applied, the amount of the penalty would be set at 180,000
euros.


In any case, the effectiveness of either of the two mentioned reductions will be
conditioned upon the withdrawal or waiver of any pending administrative action or
appeal against the sanction.


In the event that you choose to proceed with the voluntary payment of any of the
amounts indicated above (240,000 euros or 180,000 euros), you must make it effective
by depositing it into the IBAN account number: ES00-0000-0000-0000-0000-0000
(BIC/SWIFT Code: CAIXESBBXXX) opened in the name of the Spanish Data Protection
Agency at the banking entity CAIXABANK, S.A., indicating in the payment reference
the procedure number appearing in the heading of this document and the reason for
the reduction of the amount that applies.

Likewise, you must send proof of payment to the General Subdirectorate of
Inspection in order to continue the procedure in accordance with the amount
paid.


In compliance with Articles 14, 41 and 43 of the LPACAP, it is noted that, from now
on, the notifications sent to you will be made exclusively electronically, through
the Unique Enabled Electronic Address (dehu.redsara.es), and that, if you do not
access them, your rejection will be recorded in the file, the notification being
deemed carried out and the procedure continuing. You are informed that you may
identify to this Agency an email address to receive notice of notifications being
made available, and that the absence of this notice will not prevent the
notification from being considered fully valid.


The procedure will have a maximum duration of twelve months from the date of the
initiation agreement or, where applicable, of the draft initiation agreement. After
that period it will expire and, consequently, the proceedings will be archived, in
accordance with the provisions of Article 64 of the LOPDGDD.


Finally, it is noted that, in accordance with the provisions of Article 112.1 of the
LPACAP, there is no administrative appeal against this act.


                                                                             935-18032024
Mar España Martí
Director of the Spanish Data Protection Agency

>>


SECOND: On June 20, 2024, the claimed party paid the penalty in the amount of
180,000 euros, making use of the two reductions provided for in the initiation
Agreement transcribed above, which implies the recognition of responsibility.


THIRD: The payment made within the period granted to formulate allegations to the
opening of the procedure entails the waiver of any pending administrative action or
appeal against the sanction and the recognition of responsibility in relation to the
facts referred to in the Initiation Agreement.

FOURTH: In the initiation agreement transcribed previously, it was stated that, if the
infringement is confirmed, the controller could be ordered to adopt appropriate
measures to adjust its actions to the regulations mentioned in this act, in
accordance with the provisions of the aforementioned Article 58.2 d) of the RGPD,
according to which each supervisory authority may "order the controller or processor
to bring the processing operations into compliance with the provisions of this
Regulation, where appropriate, in a specified manner and within a specified period…"


Responsibility for the infraction having been recognized, the imposition of the
measures included in the Initiation Agreement is appropriate.



                           FOUNDATIONS OF LAW

                                           I
                                    Competence


In accordance with the powers that Article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD) grants to each supervisory
authority, and as established in Articles 47, 48.1, 64.2 and 68.1 of Organic Law
3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital
Rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is
competent to initiate and resolve this procedure.

Likewise, Article 63.2 of the LOPDGDD provides that: "The procedures processed by
the Spanish Data Protection Agency shall be governed by the provisions of Regulation
(EU) 2016/679, by this organic law, by the regulatory provisions issued in its
development and, insofar as they do not contradict them, on a subsidiary basis, by
the general rules on administrative procedures."


                                           II
                             Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP), under the heading "Termination in
sanctioning procedures", provides the following:


"1. Once a sanctioning procedure has been initiated, if the offender recognizes his
responsibility, the procedure may be resolved with the imposition of the appropriate
sanction.

2. When the sanction is solely pecuniary in nature, or when a pecuniary sanction and
another of a non-pecuniary nature may be imposed but the inappropriateness of the
second has been justified, the voluntary payment by the alleged offender, at any
time prior to the resolution, will imply the termination of the procedure, except
as regards the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.

3. In both cases, when the sanction is solely pecuniary in nature, the body
competent to resolve the procedure shall apply reductions of at least 20% of the
amount of the proposed sanction, these being cumulative with each other. The
aforementioned reductions must be determined in the notification of initiation of
the procedure, and their effectiveness will be conditioned on the withdrawal or
waiver of any administrative action or appeal against the sanction.

The reduction percentage provided for in this section may be increased by
regulation."


In accordance with the above, the Director of the Spanish Data Protection Agency
RESOLVES:

FIRST: DECLARE the termination of procedure EXP202303754, in accordance with the
provisions of Article 85 of the LPACAP.


SECOND: ORDER MAPFRE INVERSIÓN SOCIEDAD DE VALORES, S.A, within 90 days from when
this resolution becomes final and enforceable, to notify the Agency of the adoption
of the measures described in the legal foundations of the Initiation Agreement
transcribed in this resolution.


THIRD: NOTIFY this resolution to MAPFRE INVERSIÓN SOCIEDAD
DE VALORES, S.A.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which ends the administrative procedure as prescribed by
Art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations, interested parties may file a contentious-administrative
appeal before the Contentious-Administrative Chamber of the National Court, in
accordance with the provisions of Article 25 and section 5 of the fourth additional
provision of Law 29/1998, of July 13, regulating the Contentious-Administrative
Jurisdiction, within a period of two months from the day following the notification
of this act, as provided for in Article 46.1 of the referred Law.



                                                                                   1259-16012024
Mar España Martí
Director of the Spanish Data Protection Agency